What happened
A finance employee in Arup’s Hong Kong office received a message, said to be from the firm’s UK-based chief financial officer, about a confidential transaction. The employee was suspicious at first, because the request had the shape of a phishing email. The doubt was overcome by what came next: a video call. On the call were the chief financial officer and several other colleagues the employee recognised. Reassured, the employee carried out the instructions, making fifteen transfers totalling about HK$200 million, roughly US$25 million, to five Hong Kong bank accounts.
Everyone else on the call had been faked. The “colleagues” were AI-generated deepfakes, built from publicly available video and audio of real Arup staff, convincing enough to pass as the executives they imitated during the meeting. The fraud came to light only when the employee later checked with the corporation’s head office.
Hong Kong police described the case in February 2024, and Arup, a global engineering and design firm, confirmed in May 2024 that it had been the target. No arrests have been announced specifically for the Arup fraud, no perpetrators have been publicly identified, and the money has not been recovered. The detail that unsettled people was how ordinary the defence had been and how easily it failed: the employee did the sensible thing and asked to see the people giving the instruction, and seeing them was exactly the trick.
What an auditable version would have shown
A high-value transfer should be answerable to a simple question after the fact: what authorised it, and was that authority verified. Here the authorisation was a face on a screen, and nothing recorded whether that face had been confirmed through any channel independent of the call itself. An auditable version records, for each high-value payment, the instruction, the approval, and the out-of-band check that confirmed the instruction was genuine, captured at the time. With that record the missing step is visible in advance: there was no confirmation independent of the very call that was the attack.
Where the gap was
The gap is older than deepfakes, and deepfakes made it lethal. The control on a large transfer was visual recognition of the people asking for it, and visual recognition is now forgeable in real time. Seeing and hearing a known executive is no longer evidence the instruction is real. The control that holds is an AuthorityGate: a high-consequence action proceeds only when the source of the instruction is verified through a trusted, independent channel, not on the strength of how convincing the request looks or sounds. A ConductRecord preserves what authorised each action, so an organisation can show that the verification happened rather than assume it did. The same logic governs an AI agent acting on an instruction and a person acting on one: the question is whether the source was actually authorised, and whether that can be proven.
What governance should have looked like
The lesson is not that the employee was careless. The employee sought reassurance and was given a manufactured version of exactly the reassurance a careful person would seek. The lesson is that identity confirmed by sight and sound can no longer gate money, and that the verification of a high-value instruction has to move to a channel the attacker does not control: a callback to a known number, a second approver, a check that does not live inside the conversation being used to deceive. Those steps are ordinary in a mature controls environment. What deepfakes change is that they are no longer optional, and that the record of whether they happened is what separates a controlled payment from a hope.
The reference implementation of AuthorityGate and ConductRecord is open source. It lives at github.com/saffronandindia/headlights-oss, Apache 2.0 licensed and free to install. The repository is public now.
Sources
- Arup revealed as victim of $25 million deepfake scam involving Hong Kong employee (CNN Business)
- Arup deepfake fraud: engineering giant confirms Hong Kong scam (Fortune)
- British engineering giant Arup revealed as $25 million deepfake scam victim (AOL)